Mayo Clinic CISO Jim Nelms: 4 thoughts on health data security

Predictions for 2015 deemed it the year of the cyberattack. So far, the year has largely lived up to its name.

In addition to the big-name, far-reaching cyberattacks at Anthem, Premera Blue Cross, and Partners HealthCare, many medium-sized healthcare organizations were the victims of attacks and phishing incidents, such as Sacred Heart Health System in northwestern Florida and Evansville, Ind.-based St. Mary's Health.

Jim Nelms, CISO of Rochester, Minn.-based Mayo Clinic, spoke with the Wall Street Journal's CIO Journal about the growing threat of data breaches in healthcare and why it is harder to protect healthcare data than other types of data.

Here are four key thoughts from the interview.

On why it's harder to protect healthcare data than financial data: "Financial systems are very much more predictable. And now there's Internet of Things. It's not the Internet that's the problem. It's the 'things.' One-third to 40 percent of technology in a hospital is medical devices. They are special-purpose computers that do something to your body. That puts patients at risk, not just the corporate money…The stakes are higher.

Also, medicine is social. Doctors share information. Practices and hospitals share information. You don't find that in banks because information is a competitive edge for them. But in healthcare, there is a higher probability of loss or exposure of information through the human factor than in other industries."

On retaining talented IT people: "It's extremely hard. It's become quite a transient population because some companies can pay more. There's a plethora of issues and a dearth of people to solve them, especially at the higher levels. A CISO needs to read a balance sheet as well as they do a penetration report."

On the constant threat of attacks: "Exploitation is at an all-time high…Security is interrupt-driven. That means yesterday we might have been in the 90th percentile in defeating things across the wire. But if something comes up today, we could be in the 40th percentile. Everything we've done before doesn't matter when you have a new threat."

On the development of new security technologies: "Unfortunately, I do not [see new technologies that look promising]. There are ideas in infancy, but nothing ready. For the next period of time — I don't know how long — we are going to have to craft and use things that are going to be marginally successful. Information security in the last few years has changed from stopping things from happening to creating regular, positive change in the reduction of risk."